Reading an answer to another question ("Is there a method of generating site-specific passwords which can be executed in my own head?") I came across this link, describing a way to use a physical token (a tabula recta with randomly generated characters) to derive different passwords for different sites (choose a cell using the site name and some rule, follow another rule to get the chars that compose your password). I was curious about whether or not that would be a good practice.

The author claims to be an expert in computer security, and as far as I can tell his reasoning looks sound. He does make the caveat that "the security of this system rests on the randomness of the generated characters and the piece of paper." (emphasis mine) In other words, if an adversary gains access to your token, it's over; that I understand (it's easy to show that a dictionary attack can be performed with it*).

However, I'm having trouble determining whether or not the risk of losing the token combined with the consequences of this event would render this practice unfeasible, or whether those can be mitigated somehow. I believe the risk of forgetting a password (especially if not reused across sites, as it shouldn't) is far greater than of being (personally) targeted by a malicious adversary, and password managers are a bit awkward to use. I'd like to know about pros and cons of this technique, and maybe ways in which it can be improved/made feasible (preferably concerning the practical use, I believe the crypto aspect should be self-evident).

* To perform a dictionary attack, just take each cell of your token (unless you're using a really big piece of paper, there won't be over a few dozen or hundreds of cells) and follow any rule that a human can reasonably follow "by hand" (diagonals, spirals, knight jumps, etc). There shouldn't be many of them (let's be optimistic and say a hundred), and since there will be exactly 1 sequence of N characters starting from a single cell and following the same rule (regardless of N), that leaves no more than 100k possibilities to test for each N (weaker than a 4 character alphanumeric password, for the sake of comparison).
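The estimate in the footnote above, worked through as an added example (not part of the original post): it builds a 26x26 card with a CSPRNG, derives one password, and compares the search space when the card is known against a 4-character alphanumeric password and against an unknown card. The rule names, the edge wrapping, the "first two letters pick the cell" convention and the 12-character length are assumptions made for illustration.

```python
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
SIZE = 26  # rows and columns labelled A-Z, 676 cells

# Assumed hand-followable rules, as (row step, column step) per character.
RULES = {"right": (0, 1), "down": (1, 0), "diagonal": (1, 1), "knight": (1, 2)}


def make_card(size=SIZE):
    """Fill a size x size grid with characters drawn from a CSPRNG."""
    return [[secrets.choice(ALPHABET) for _ in range(size)] for _ in range(size)]


def read_path(card, row, col, rule, length):
    """Read `length` characters from (row, col); wrapping at edges is assumed."""
    dr, dc = RULES[rule]
    n = len(card)
    return "".join(card[(row + i * dr) % n][(col + i * dc) % n] for i in range(length))


def derive(card, site, rule="diagonal", length=12):
    """Assumed cell rule: first two letters of the site name give row and column."""
    letters = [c for c in site.upper() if c in string.ascii_uppercase]
    if len(letters) < 2:
        raise ValueError("site name needs at least two letters")
    return read_path(card, ord(letters[0]) - 65, ord(letters[1]) - 65, rule, length)


def candidates_with_card(card, length):
    """All passwords of one length reachable from any cell by any rule."""
    n = len(card)
    return {read_path(card, r, c, rule, length)
            for r in range(n) for c in range(n) for rule in RULES}


def bits(count):
    """Size of a search space expressed in bits."""
    return math.log2(count)


if __name__ == "__main__":
    card = make_card()
    print("card known, 100 rules :", round(bits(SIZE * SIZE * 100), 1), "bits")
    print("4-char alphanumeric   :", round(bits(62 ** 4), 1), "bits")
    print("card unknown, 12 chars:", round(bits(len(ALPHABET) ** 12), 1), "bits")
    print("derived in candidates :", derive(card, "example.com") in candidates_with_card(card, 12))
```

With the card in hand and a hundred rules, the space is about 16 bits per length, against about 24 bits for a 4-character alphanumeric password and about 79 bits for 12 characters when the card is unknown.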

2 Answers

A password generating token does mean a 'decently' strong password, compared to other manual/memory methods. It does not rely on a common repository of passwords like a password manager. The process is as portable as the token is, which means it could be used in areas where personal devices or internet connections are unavailable, which makes it superior to password managers.

Cons

It would not produce a sufficiently random password compared to automated password generators, but I would not go so far as to say 'not sound security'. A photo of the card is enough to start a dictionary attack, not just theft of the card. Loss of or damage to the card means a loss of all passwords associated with that token.

The other issue is that once someone has your token, they can perform that dictionary attack on all your accounts (and perhaps with optimizations in pattern/pathing matching once the first successful match was found).

Mitigation

Placing the token in a polarized sleeve so that photos cannot be taken, and physically attaching the token so that it is not easily stolen might help. I was wondering about getting the token printed on a metal card with a hole punched in the corner. Limiting the number of accounts that use the card would also help. Consider printing both sides of a card with different random character sets and distribute accounts across both character sets.

Password Managers

I have used password managers frequently and I do not find them difficult to use or implement.

Conclusion

Both a physical token and a password manager represent a single point of failure and single point of attack, and as such, the impacts need to be carefully considered. Considering the password complexity that could be generated by a token like tabula recta, it might be very useful and more secure than relying on a user's memory in situations where other password reminders are not available.

Very insightful, in particular the photo possibility, never thought of that! The problem of loss/damage falls under the more general question of "how to backup your credential data", applicable to any situation where you have them stored somewhere (keyfiles, for instance) and not only in your memory. That's one of my concerns, but it's too broad to address here, so I'll leave it to another time (I believe some form of secret sharing might be one way of dealing with that).
– mgibsonbr, Apr 14 '12 at 6:02

It's an interesting idea but not sound security. You are better off installing a password manager and having a totally random password for each site. I use LastPass and have used RoboForm and haven't found them to be too awkward. Certainly much less than having to look up your password on a chart.

The problem with these methods is that it makes it difficult to change your master password or token--doing so means changing passwords on every site based on it.

Yes, that would fall under "consequences", having to change the password for each site (and remembering/storing somewhere the list of sites you registered to). But still, the risk of losing the chart to an adversary is not that big, and this particular consequence is mild. I agree a usable password manager would be better anyway (though not without drawbacks). But I must point out that the strength of the password is not a concern, since the chart is supposed to be created using a CSPRNG, and there's little (if any) overlap between passwords for different sites.
– mgibsonbr, Apr 8 '12 at 22:30


If one's password manager was compromised, one would have to go through the same process as someone who lost their password card. Both are a single point of failure.
– schroeder♦, Apr 13 '12 at 19:10